Penetration Testing and Vulnerability Assessment - NASA

Document Sample
Penetration Testing and Vulnerability Assessment - NASA Powered By Docstoc
					Penetration Testing and Vulnerability Assessment:

     “The difference between theory in practice is
             small in theory, but great in practice.”

                   Ernest Lopez & Matt Linton
                       Ames Research Center
                             August 17, 2010
                      What is penetration testing?
                      What is the difference between Penetration
                       Testing and Vulnerability Assessment
                      What is within scope of a typical Penetration
                      Why Bother?
                      A high-level how-to: ARC's Pen Testing
                      Detailed how to: ARC’s testing methodology.
                      Outputs from Penetration Testing at ARC.

Presentation Title
March 5, 2010
                     What is Penetration Testing?
                      A penetration test is a method of evaluating the security of a
                       computer system or network by simulating an attack from a malicious
                       source, known as a Black Hat Hacker, or Cracker. – Wikipedia

                      What is the difference between a Pen Tester and a Hacker?
                       » Pen Tester’s have prior approval from Senior Management
                       » Hackers have prior approval from themselves.

                        » Pen Tester’s social engineering attacks are there to raise awareness
                        » Hackers social engineering attacks are there to trick the DMV into divulging
                          sensitive information about the whereabouts of their estranged ex-spouse.

                        » Pen Tester’s war driving = geeks driving cars with really long antennas,
                          license plate reading “r00t3d” while dying their hair green looking to discover
                          the hidden, unapproved networks your users thought it would be OK to
                          install for you.
                        » Hackers wireless war driving doesn’t happen so often because 14 year olds
                          typically don’t have their license yet.

                        » Pen-testers have pink mohawks and wear trenchcoats in July.
Presentation Title      » Hackers have pink mohawks and wear trenchcoats.... that they bought with
—3—                       your bank account info.
March 5, 2010
                     Difference between Penetration Testing and
                     Vulnerability Assessment?

                       Vulnerability Assessment:
                        » Typically is general in scope and includes a large assessment.
                        » Predictable. ( I know when those darn Security guys scan us.)
                        » Unreliable at times and high rate of false positives. (I’ve got a
                        » Vulnerability assessment invites debate among System Admins.
                        » Produces a report with mitigation guidelines and action items.

                       Penetration Testing:
                        » Focused in scope and may include targeted attempts to exploit
                          specific vectors (Both IT and Physical)
                        » Unpredictable by the recipient. (Don’t know the “how?” and
                        » Highly accurate and reliable. (I’ve got root!)
                        » Penetration Testing = Proof of Concept against vulnerabilities.
                        » Produces a binary result: Either the team owned you, or they
Presentation Title
March 5, 2010
                     Scope of Penetration Testing
                      Targeted Recon.
                       » Targeted exploitation of vulnerable software.

                      Social Engineering
                       » Hi HelpDesk…I’m Mr. Jones…Can you tell me what my
                         password is?

                      Physical facilities audit
                       » Hmm, I forgot my badge... but there's 200 yards of fence
                         missing on the east side of the center

                      Wireless War Driving
                       » Detection of rogue or weakly encrypted AP’s.

                      Dumpster Diving
Presentation Title
                       » How much fun can I have in the dumpster…whoops…I’ve
March 5, 2010
                         found someone’s Tax forms with SSN.
                     Why Bother?
                      Active pen-testing teaches you things that security planning will not
                        » What are the vulnerability scanners missing?

                      Are your users and system administrators actually following their own policies?
                        » host that claims one thing in security plan but it totally different in reality

                         Audit Physical Security
                        » Just what is in that building no one ever goes in?
                        » The strongest network based protections are useless if there is a accessible
                          unlocked terminal, unlocked tape vault, etc.

                      Raises security awareness
                       » I better not leave my terminal unlocked because I know that those security
                          guys are lurking around somewhere.

                      Helps identify weakness that may be leveraged by insider threat or accidental

                      Provides Senior Management a realistic view of their security posture

                      Great tool to advocate for more funding to mitigate flaws discovered
Presentation Title
—6—                   If I can break into it, so could someone else!
March 5, 2010
                     High Level Penetration Testing at Ames

                      Quarterly Penetration Tests performed at ARC
                      Rules of Engagement Document approved by CIO office
                       (Do’s and Dont’s)
                      Always carry a “Get out of jail” card.
                      Always be humble.

                      Scope of ARC Testing
                       » Vulnerability Scanning and real world exploits (Metasploit)
                       » Social Engineering (Phishing, pharming, spearphishing)
                       » Dumpster Diving
                       » Physical Facilities Audit ( Unlocked terminals, unsecure
                         buildings and labs)
                       » Wireless War Driving

Presentation Title
March 5, 2010
                     Penetration Testing at Ames


                        Network Vulnerability Testing
                        Web Vulnerability Testing
                        Wireless War Driving / Walking
                        Phone Network Testing
                        Social Engineering Testing
                        Walk-throughs and Dumpster Diving
                        Physical Security Auditing

Presentation Title
March 5, 2010
Vulnerability Assessment
Penetration Test
                     Network Vulnerability Testing
                     “The only rules that really matter are these: what a man can do and what a man
                        can't do.”
                             – Jack Sparrow

                      ABOUT ASSUMPTIONS:
                        » We don't want to impact operations, so no DOS, no offensive disabling of
                      Above assumptions impact tests, so other assumptions made. Consider
                       though, that if you find a vuln that'd allow you to bypass IDS/IPS, that such
                       findings cannot be used as mitigations.

                      Rules of Engagement:
                        » Consistent with RoE document, we don't perform tests if we think they'll
                          damage/interrupt important work.
                        » Example: “Damaging” tests turned off in Nessus; SQL injection of
                          production/mission systems; etc
                        » Notify sysadmins/staff for critical and mission systems of pen-test window,
                          so they can be on hand in case of crashes, etc. (Note: Decreases
Presentation Title
                          effectiveness but is a necessary trade-off)
March 5, 2010
                     Network Vulnerability Testing
                     “If you know the enemy and know yourself you need not fear the results of a
                         hundred battles.”
                              – Sun Tzu

                                               A SUPER BASIC Rundown:

                        Check hacker boards, look for pre-assessed/exploted center resources
                        Perform full external scans on center (note whether ops blocks/calls/etc)
                        Note any exploitable services, etc
                        Confirm exploitation... by exploiting them.
                         » (metasploit, backtrack and other tools can be helpful here)

                      From each exploitable service, perform full internal scans of that network,
                      Run sniffers on that network to gather information/credentials/etc
                      Install a 'dummy' host on that nework to download/upload malware:
                         Tests for IT Ops responses, exfiltration catch by IDS, reports by sysadmins,

Presentation Title    From each exploitable system found above: Lather, rinse, repeat.
March 5, 2010
                     Web Vulnerability Testing
                     “Just cause you got the monkey off your back doesn't mean the circus has left
                            – George Carlin

                     During network testing, check out some of the websites your developers have put
                       together. If possible (in scope), get permission to test sites that contractors run
                       on behalf of NASA.

                     Remember, many systems now considered 'critical' are web systems throughout.
                       An agency can be 'owned' without touching a router or system, if you nail IFMP
                       (for example)

                     Seen on one contractor system (the login page):

                     <!-- 0) SQL2K=true
                        ZZ;SQL=undefined --->

                      Fuzzers, webapp tests, OWASP. Other testing frameworks are useful here
                      Consider metasploit ;)
Presentation Title
March 5, 2010
                     Wireless War Driving / Walking
                     “I have no special talent. I am only passionately curious.” – Albert Einstein

                      Is your campus wireless accessible from outside the campus? Have you
                       checked? Can it be cracked?
                      Drive the campus w/ Laptops equipped with 802.11, antennas if possible.
                      Record any wireless network NOT authorized by the center.
                      Shut down if possible!

                      Bluetooth? Do the same! See what wireless shares are being broadcast
                       (short-range) from inside locked buildings to the outsides of the building, lab,

                      Look for “hpsetup”, “Free Public Wifi” (a worm), “linksys” and others.

                      In the future, “MiFi” mobile hotspots in employees' possession are going to
                       become numerous accidental wifi connection points.

                      TIP: Use a cell w/ GPS enabled to record GPS location of hotspots found.

Presentation Title
March 5, 2010
                     Phone Network Tests

                     “I don't answer the phone. I get the feeling whenever I do that there will be
                         someone on the other end.” --Fred Couples

                      Phones? Yep, we still use 'em.

                      War-dialing: Using a modem to call every number in your block looking for
                        » Best done at night, or employees may get upset
                      Don't forget VOIP services, Skype IDs, etc
                      Use CallerID spoofing(Check with legal office) and redirection services (google
                       voice, etc) to try to fool helpdesk staff into revealing information/passwords/etc
                       – or to impersonate helpdesk for others

Presentation Title
March 5, 2010
                     Social Engineering / Phishing Tests

                     “"Foolproof systems don't take into account the ingenuity of fools."   — Gene

                      Your users are being socially engineered and phished every day!
                      They are falling for it, pretty regularly.

                      Send your users a phishing email w/ Remote IP that you monitor
                      Check which users download the file
                      Go further! Send them a script to run; the script pings a webserver whose logs
                       you monitor.
                      Again, see who executes the file.
                      Place this file on a USB thumb drive named 'Financials', drop the drive in the
                      Start a Facebook group... find people on LinkedIn... etc.

                     Remedial training needed for employees who respond to phsihing!

                      TIP: Don't make your phishing email TOO good. Make it semi-obvious, or
                       you'll get into tension with what you're trying to accomplish. Remember, it's not
Presentation Title
                       a 'gotcha!' game, it's “This is what to look for our adversaries doing...”
March 5, 2010
                     Walk-throughs and Dumpster Diving
                     “Lack a witty quote here and see if people notice” – Just checking

                      Goal: See what kind of sensitive information your employees are leaving in:
                        » recycling/trash
                        » Printer and copy rooms
                        » Unlocked file cabinets
                        » Unattended “archival” areas

                      Check for unlocked terminals. Check for unlocked but unattended offices w/
                       sensitive information in them

                      Look for macguyvered IT setups in labs, offices, etc

                      Use a cell phone w/ GPS tags in camera (iphone style), or GPS camera to take
                       photos of findings. Will help with mapping problem areas, providing feedback to

Presentation Title    TIP: If you're stopped and questioned by any employees, take their names
—17—                   (after explaining the situation) and be sure to send positive feedback to their
March 5, 2010
                     Walk-throughs and Dumpster Diving

Presentation Title
March 5, 2010
                     Physical security auditing
                     “Knowledge becomes evil only if the aim be not virtuous. “ -- Plato

                      Test the efficacy of your physical security controls. These are the controls we
                       take for granted!

                      Common things to look for:
                        » Double doors unpinned (pull n' open)
                        » Door locks w/ no front plate
                        » Poorly installed door locks
                        » Digital door locks with default passcodes, or malfunctioning latch
                        » Removable floors which extend beyond gateway doors
                        » Ceilings which don't run “all the way”
                        » Are your badge reader door locks fail-safe... or fail-open?
                        » Circuit breakers outside sensitive areas?

                      Remember, the majority of successful security compromises are insiders to the
                        » “TJX, a retail conglomerate, had 94 million credit card numbers stolen by
                          former employees already familiar with security procedures at the company.
Presentation Title
March 5, 2010         Ensure your team has proper safety training for physical walkthroughs.
                     Physical Sec: Safety Considerations
                     “A word to the wise ain't necessary. It's the dumb ones who need the advice!”
                           – Bill Cosby

                      Safety precautions for pen-test team:

                      Buddy system (minimum of 2 testers)
                      Have a management “Bosley” for people to contact, and to run confirmation w/
                      Have cell phone or radio contact with team members at all times
                      Pre-train for safety:

                     ARC's TEAM: Training required per-position

                     Pen-test lead: Hazardous Materials, Confined Space, First Aid & CPR
                     Pen-tester 1: Hazardous Materials
                     Pen-tester 2: Hazardous Materials

Presentation Title
March 5, 2010
                     High Level Outputs

                      Training and awareness
                       » Birds of a Feather
                       » Division and Directorate training

                      Management awareness
                       » Reports sent to Senior Management and anyone with a
                         need to know.
                       » Security Posture reports. What is the centers risk posture?

                      Trends for ARC since inception of program:
                       » Significant decrease in unlocked terminals
                       » Increase in reports of Spam & Phishing to Security Office.
                       » Significant decrease in the amount of Sensitive information
                          being discovered during tests.
                       » More requests for All-Hands training by the Security Office.
Presentation Title     » Significant increase in overall Security Awareness
March 5, 2010

Shared By: